patterns & practices Security Code Review Index

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies.
This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Security Code Review Approach

The purpose of a security code review is to inspect source code to discover security issues before testing and deployment begin. The four major code review steps are shown in Figure 1.

Figure 1. Code review steps

Review your code each time there is a meaningful change rather than all at once at the end of the project. This lets you focus on what has changed instead of trying to find every issue in a single pass.

Step 2. Perform a preliminary scan. Use static analysis to find an initial set of security issues and to learn where further manual review is most likely to uncover more.

Step 3. Review the code for security issues. Review the code thoroughly, looking for the security issues that are common to many applications. Use the results of step two to focus your analysis.

Step 4. Review for security issues unique to the architecture. Complete a final analysis looking for security issues that relate to the unique architecture of your application. This step is most important if you have implemented a custom security mechanism or any feature designed specifically to mitigate a known security threat, because generic checklists will not cover it.
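As an added example of the preliminary scan in step 2 and how its output feeds the focused review in steps 3 and 4 (this is illustrative code, not part of the patterns & practices guidance), the script below runs a small pattern-based static scan over a set of source files, records each hotspot with its line number, and ranks the files by the total weight of their hotspots so the manual review can start where issues are most likely. The hotspot patterns, their weights, and the sample C# files are constructed assumptions for the demonstration; a real scan would use a proper analyzer, but the triage step that follows it is the same.

```python
"""Preliminary security scan: pattern-based hotspot detection and file ranking.

Example code added to illustrate step 2 of the review approach. The patterns,
weights and sample sources below are constructed for this example.
"""
import re

# Assumed hotspot heuristics for C# code: (name, regex, weight).
# Higher weight = more likely to be a real issue worth early manual review.
HOTSPOTS = [
    ("sql-concat", re.compile(r'(SqlCommand|CommandText)\s*\(?[^;]*\+'), 5),
    ("hardcoded-secret", re.compile(r'(?i)(password|secret|apikey)\s*=\s*"[^"]+"'), 5),
    ("process-start", re.compile(r'Process\.Start\('), 4),
    ("deserialize", re.compile(r'BinaryFormatter|\.Deserialize\('), 4),
    ("file-path-concat", re.compile(r'File\.\w+\([^;]*\+'), 3),
    ("request-input", re.compile(r'Request\.(QueryString|Form|Params)\['), 2),
]

# Constructed sample files standing in for a source tree (path -> contents).
SAMPLE_FILES = {
    "Data/OrderRepository.cs": """
using System.Data.SqlClient;
public class OrderRepository {
    private static string Password = "hunter2";
    public void Find(string id) {
        var cmd = new SqlCommand("SELECT * FROM Orders WHERE Id = " + id, conn);
        cmd.ExecuteReader();
    }
}
""",
    "Web/Upload.aspx.cs": """
protected void Page_Load(object sender, EventArgs e) {
    string name = Request.QueryString["file"];
    File.ReadAllText("C:\\uploads\\" + name);
}
""",
    "Util/Logger.cs": """
public static class Logger {
    public static void Write(string msg) { System.Console.WriteLine(msg); }
}
""",
}


def scan_source(text):
    """Return [(line_no, hotspot_name, weight)] for every hotspot hit in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx, weight in HOTSPOTS:
            if rx.search(line):
                findings.append((line_no, name, weight))
    return findings


def rank_files(files):
    """Score each file by the sum of its hotspot weights; highest score first.

    Returns [(path, (score, findings))] so the reviewer gets both the order in
    which to read files and the exact lines to start from in each.
    """
    scored = {path: (sum(w for _, _, w in f), f)
              for path, f in ((p, scan_source(t)) for p, t in files.items())}
    return sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True)


def review_order(files):
    """Just the file paths, in the order the manual review should take them."""
    return [path for path, _ in rank_files(files)]


if __name__ == "__main__":
    for path, (score, findings) in rank_files(SAMPLE_FILES):
        print(f"{score:3d}  {path}")
        for line_no, name, weight in findings:
            print(f"       line {line_no}: {name} (weight {weight})")
```

Running it lists Data/OrderRepository.cs first (a string-concatenated SQL command and a hard-coded password), then Web/Upload.aspx.cs (request input flowing into a file path), and leaves Util/Logger.cs with no hotspots; the ranked list is the starting point for the thorough review in step 3, and files that score zero still get read, only later.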

Baseline Activity

The baseline activity shows you the techniques and steps to perform an effective security code review. Use the baseline activity in conjunction with the companion question lists and checklists to perform a security code review.

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, see the Microsoft Support Web site at http://support.microsoft.com.
